In last week’s article ‘OT Integrity, Step 1: Build It Secure’, we used the analogy of a bank building to explain the process of creating a security-oriented foundation for an OT network and its assets. This week, we’ll continue with ideas crucial to the long-term maintenance of security for OT work sites.
Keeping your network secure means taking care of maintenance and day-to-day priorities, especially as defined by pre-designed security policies and controls. For example, what procedures does a security team follow to prevent incidents? How many people have the privileges necessary to unlock the front door?
If you wouldn’t want so many people being able to unlock your front door, the same thinking applies to your network and its different sensitive areas. As ‘building it secure’ refers to the building’s design and structure, ‘keeping it secure’ covers things like the on-site security guards, CCTV cameras, and the different kinds of locks on doors. It is viewed in two categories, ‘security program development’ and ‘security control’.
The first category of ‘Keeping It Secure’, security program development, has a heavy focus on policy management and the selection of the ideal defenses. This includes:
- The overall upkeep of the network is crucial. Is the network segmented? How is visibility created? Our Edge series can segment networks, offers deep packet inspection (DPI), and provides OT protocol-based trust lists for assets.
- Work site assets will be organized to maximize availability, and then secured based on the operational needs of each asset.
- Solutions should be consistently deployed to create ‘defense-in-depth’ architecture. ‘Defense-in-depth’ refers to the deployment of multiple overlapping defensive solutions, so that when one safeguard fails there are others still holding up the line of defense. For example, in addition to network segmentation, multiple trust lists could be in use that set privileges based on device or control commands, as well as virtual patching to secure vulnerabilities in legacy devices (which often cannot be patched) – these features can actually all come from the same device, our own EdgeFire.
- Firewall policies must be informed by the operational needs of assets, with policy execution informed by a high degree of protocol sensitivity.
- Policies based on “least privilege” should be used whenever possible. This is the principle that privilege given on the network should always be the least amount necessary for the asset or personnel to do their job.
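As an added example (not TXOne’s code or EdgeFire’s implementation), here is how an OT protocol-based trust list with least privilege can be expressed: a Modbus/TCP request is parsed down to its function code and checked against a per-client allowlist that defaults to deny, so a read-only HMI cannot issue write commands that only the engineering workstation is permitted to send. The hosts, addresses and trust-list entries are constructed for illustration.

```python
import struct

# Modbus/TCP: 7-byte MBAP header (transaction id, protocol id, length, unit id),
# then the PDU, whose first byte is the function code.
MBAP = struct.Struct(">HHHB")
FUNC_NAMES = {3: "Read Holding Registers", 6: "Write Single Register",
              16: "Write Multiple Registers"}

def parse_request(src, dst, frame):
    """Return (src, dst, unit_id, function_code) from a raw Modbus/TCP request."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("truncated Modbus/TCP frame")
    _tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    return src, dst, unit, frame[MBAP.size]

# Constructed trust list: (client, server, unit id) -> function codes the client may issue.
# Anything not listed is denied: least privilege, default deny.
TRUST_LIST = {
    ("10.0.1.10", "10.0.2.20", 1): {3},          # HMI: read-only
    ("10.0.1.50", "10.0.2.20", 1): {3, 6, 16},   # engineering workstation: read/write
}

def evaluate(req, trust_list=TRUST_LIST):
    """Return ('allow'|'deny', reason) for a parsed request."""
    src, dst, unit, func = req
    name = FUNC_NAMES.get(func, f"function 0x{func:02x}")
    allowed = trust_list.get((src, dst, unit))
    if allowed is None:
        return "deny", f"{src} has no trust-list entry for {dst} unit {unit}"
    if func not in allowed:
        return "deny", f"{src} may not issue {name} to {dst} unit {unit}"
    return "allow", f"{src} -> {dst} unit {unit}: {name}"

def build_frame(tid, unit, pdu):
    """Wrap a PDU in an MBAP header (only used to construct sample traffic)."""
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic: holding-register reads (FC 3) and a single-register
# write (FC 6) from the HMI, the engineering workstation and an unknown host.
SAMPLES = [
    ("10.0.1.10", "10.0.2.20", build_frame(1, 1, b"\x03" + struct.pack(">HH", 0, 10))),
    ("10.0.1.10", "10.0.2.20", build_frame(2, 1, b"\x06" + struct.pack(">HH", 5, 1))),
    ("10.0.1.50", "10.0.2.20", build_frame(3, 1, b"\x06" + struct.pack(">HH", 5, 1))),
    ("10.0.1.99", "10.0.2.20", build_frame(4, 1, b"\x03" + struct.pack(">HH", 0, 1))),
]

def run(samples=SAMPLES):  # denied verdicts are what monitoring should alert on
    return [evaluate(parse_request(s, d, f)) for s, d, f in samples]
```

In a real deployment the trust list would be generated from an asset inventory rather than hand-written, and every deny verdict would be forwarded to monitoring as a detection event.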
The second category of ‘Keeping It Secure’, security control, is focused on making necessary information and guidelines as available as possible:
- The Risk Assessment Framework (RAF) should be applied to the ICS. The steps of RAF are categorization, selection, implementation, assessment, authorization, and monitoring. This process exists to produce information resources that can be easily shared and understood by staff from both technical and non-technical backgrounds.
- Resources should be classified and guidelines created according to the 18 NIST SP 800-53 control families, which are a cybersecurity framework created by the National Institute of Standards and Technology (NIST). ‘Access Control’, which refers to who has access to the system and their level of privilege, and ‘Awareness and Training’, which refers to security education for staff, are examples of two of these control families.
‘Building It Secure’ and ‘Keeping It Secure’ are designed to help enterprises leverage integrated planning, procedures, and information availability. Choosing the solutions themselves that will fill these guidelines and empower this framework falls to the stakeholder responsible for ICS security, and ideal solutions for work sites place emphasis on operational integrity and maximized availability. Similarly, chosen solutions need to be designed in a way that makes it easy for the organization’s cybersecurity specialists to keep them running with as little downtime as possible – such designs should include a convenient and minimally necessary update process, ease of maintenance, and a large MTBF (Mean Time Between Failure).
TXOne Networks offers a suite of cybersecurity solutions tailored to the needs of operational technology, maximizing visibility and with a focus on keeping the operation running.